issue on access to web interface of Mikrotik

Hi all
i’m a bit new to mikrotik :slight_smile:
i had access to the web console but now i can’t see the web console
i’m getting a time out and "connection was reset" while trying to connect to the web console
below is my configuration, there is nothing to drop or block
as you can see below, it freezes when i try ip service export in the terminal!
(attachment 1.JPG: screenshot of the frozen terminal, not reproduced)
below are the filters

[admin@MikroTik] /ip firewall filter> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=forward action=accept protocol=tcp dst-address=192.168.0.150 
      in-interface=LAN_ether2 dst-port=22 log=no log-prefix="" 

 1    chain=input action=drop protocol=tcp src-address-list=ftp_blacklist 
      dst-port=21 log=no log-prefix="" 

 2    chain=output action=accept protocol=tcp content=503 Login incorrect 
      dst-limit=1/1m,9,dst-address/1m log=no log-prefix="" 

 3    chain=output action=add-dst-to-address-list protocol=tcp 
      address-list=ftp_blacklist address-list-timeout=3h 
      content=530 Login incorrect log=no log-prefix="" 

 4    ;;; drop ssh brute forcers
      chain=input action=drop protocol=tcp src-address-list=ssh_blacklist 
      dst-port=22 log=no log-prefix="" 

 5    chain=input action=add-src-to-address-list connection-state=new 
      protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist 
      address-list-timeout=1w3d dst-port=22 log=no log-prefix="" 

 6    chain=input action=accept connection-state=new protocol=tcp dst-port=22 
      log=no log-prefix="" 

 7    chain=input action=add-src-to-address-list connection-state=new 
      protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 
      address-list-timeout=1m dst-port=22 log=no log-prefix="" 

 8    chain=input action=add-src-to-address-list connection-state=new 
      protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 
      log=no log-prefix="" 

 9    ;;; remote_logins
      chain=input action=add-src-to-address-list protocol=tcp 
      address-list=trying_to_login address-list-timeout=1d dst-port=20-30 
      log=no log-prefix="" 

10    ;;; drop telnet rute forcers
      chain=input action=drop protocol=tcp src-address-list=black_list 
      dst-port=23 log=no log-prefix="" 

11    chain=input action=add-src-to-address-list connection-state=new 
      protocol=tcp src-address-list=telnet_stage3 address-list=black_list 
      address-list-timeout=1d dst-port=23 log=no log-prefix="" 

12    chain=input action=add-src-to-address-list connection-state=new 
      protocol=tcp src-address-list=telnet_stage2 address-list=telnet_stage3 
      address-list-timeout=1m dst-port=23 log=no log-prefix="" 

13    chain=input action=add-src-to-address-list connection-state=new 
      protocol=tcp src-address-list=telnet_stage1 address-list=telnet_stage3 
      address-list-timeout=1m dst-port=23 log=no log-prefix="" 

14    chain=input action=add-src-to-address-list connection-state=new 
      protocol=tcp address-list=telnet_stage1 address-list-timeout=1m 
      dst-port=23 log=no log-prefix="" 

15    ;;; log blacklisted ssh brute forcers
      chain=input action=log protocol=tcp src-address-list=ssh_blacklist 
      dst-port=22 log-prefix="SSH-blacklisted" 

16    chain=prerouting action=log protocol=tcp dst-address-type=local 
      in-interface=PPOE-main dst-port=80

and here are my NAT rules


i tried to log but got nothing!!
(attachment 2.JPG: screenshot of the empty log, not reproduced)

[admin@MikroTik] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU
 0  R  LAN_ether2                          ether            1500  1596       2026
 1  R  WAN_ether1                          ether            1500  1596       2026
 2  R  ac_point_ether3                     ether            1500  1596       2026
 3     ether4                              ether            1500  1596       2026
 4     ether5                              ether            1500  1596       2026
 5  R  PPOE-main                           pppoe-out        1480

also please note that i tried to change the www port to 8088 or 8000 but it doesn’t work; i also disabled all nat and filter rules but same :frowning:

Actually i don’t have access to webfig from internal! 192.168.0.1
i can access winbox and ssh by 192.168.0.1 and by the public IP from inside and outside the network!
the issue is just with webfig, which i need access to for graphs

The first thing you should do is reset your router and start from scratch using the latest OS!

thanks for your reply
but why should i reset the router ?!

You are using a very old version of the firmware that was hackable and thus, to be safe, I would reset to defaults and start from scratch.

It does mean a little bit of manual work…
Save your config in terminal.

/export file=startoverconfig

Download it to your PC.

Then use it in winbox and the terminal to populate your router section by section (copy and paste),
after reviewing each section and being satisfied that it is what you want to have…

Personally I would get rid of most of your extra firewall rules and keep it simple for now until all the main functionality you want is up and running.

I would close all services except ssh and winbox.
I would change the ssh port to something else like 2344, something random (but write it down somewhere so you remember).
Change ssh crypto to strong.

Create an input chain rule that only allows access to your router from the admin - basically from the in-interface lan with source-address-list=adminaccess.
In the firewall address list, add the PCs or subnet on the LAN that you wish to be able to access the router.

Get rid of all your ssh, blacklist and other crap rules and those outgoing chain rules for now, keep it simple and basic at the start.

{for both input and forward chains}
accept established, related, untracked
drop invalid
allow rules for traffic
drop everything else

ex. input chain
accept in-interface=lan source-address-list=adminaccess
accept in-interface=lan tcp & udp dest-port 53 (allow users to get DNS from the router).

ex. forward chain
accept in-interface=lan out-interface=wan (lan to wan internet traffic)

Once that is up and running we can look at the rest to see what is actually worth keeping.
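The basic layout described in this reply, written out as RouterOS terminal commands as an added example (not the reply author's or the original poster's own config). It uses the interface names from the posted /interface print, assumes the LAN subnet is 192.168.0.0/24 and the ssh port 2344 suggested above, and must be pasted from a LAN host that is covered by the adminaccess list, or the final input drop will lock you out.

```routeros
# --- services: keep only ssh and winbox, and only from the LAN ---
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl
/ip service set ssh port=2344 address=192.168.0.0/24
/ip service set winbox address=192.168.0.0/24
/ip ssh set strong-crypto=yes

# --- who may manage the router (assumed subnet; narrow to single PCs if you can) ---
/ip firewall address-list add list=adminaccess address=192.168.0.0/24 comment="admin PCs on the LAN"

# --- input chain: established/related/untracked, drop invalid, allow, drop rest ---
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established/related/untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept in-interface=LAN_ether2 src-address-list=adminaccess comment="admin access to the router"
add chain=input action=accept in-interface=LAN_ether2 protocol=udp dst-port=53 comment="LAN users get DNS from the router"
add chain=input action=accept in-interface=LAN_ether2 protocol=tcp dst-port=53 comment="LAN users get DNS from the router"
add chain=input action=drop comment="drop everything else on input"

# --- forward chain: same skeleton, only LAN -> WAN is allowed through ---
add chain=forward action=accept connection-state=established,related,untracked comment="accept established/related/untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface=LAN_ether2 out-interface=PPOE-main comment="LAN to WAN internet traffic"
add chain=forward action=drop comment="drop everything else on forward"
```

Rules are evaluated top to bottom, so the order above matters: the established/related rule must come first and the catch-all drop last, and any later "allow" rule for a service has to be inserted above that final drop.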